Initial Containerfile for tas-clients

charts/trusted-artifact-signer/Chart.yaml

@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.8
+version: 0.1.9

charts/trusted-artifact-signer/README.md

@@ -3,7 +3,7 @@
 
 A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift
 
-![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Overview
 
@@ -84,21 +84,30 @@ Kubernetes: `>= 1.19.0-0`
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| configs.cosign.appsSubdomain | DNS name to be used to generate environment variables for cosign commands. By default, in OpenShift, the value for this is apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') | string | `""` |
-| configs.cosign.create | whether to create the cosign namespace | bool | `true` |
-| configs.cosign.image | Image containing the cosign binary as well as environment variables with the base domain injected. | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"securesign/cosign","version":"v2.1.1"}` |
-| configs.cosign.name | Name of deployment | string | `"cosign"` |
-| configs.cosign.namespace | namespace for cosign resources | string | `"cosign"` |
-| configs.cosign.rolebindings | names for rolebindings to add clusterroles to cosign serviceaccounts. The names must match the serviceaccount names in the cosign namespace. | list | `["cosign"]` |
-| configs.ctlog.create | Whether to create the ctlog namespace | bool | `true` |
-| configs.ctlog.namespace | Namespace for ctlog resources | string | `"ctlog-system"` |
+| configs.clientserver.consoleDownload | This can only be enabled if the OpenShift CRD is registered. | bool | `true` |
+| configs.clientserver.image.pullPolicy |  | string | `"IfNotPresent"` |
+| configs.clientserver.image.registry |  | string | `"quay.io"` |
+| configs.clientserver.image.repository |  | string | `"sallyom/tas-clients"` |
+| configs.clientserver.image.version |  | string | `"httpd"` |
+| configs.clientserver.name |  | string | `"tas-clients"` |
+| configs.clientserver.namespace |  | string | `"trusted-artifact-signer-clientserver"` |
+| configs.clientserver.namespace_create |  | bool | `true` |
+| configs.clientserver.route | Whether to create the OpenShift route resource | bool | `true` |
+| configs.cosign_deploy.enabled |  | bool | `false` |
+| configs.cosign_deploy.image | Image containing the cosign binary as well as environment variables with the base domain injected. | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"securesign/cosign","version":"v2.1.1"}` |
+| configs.cosign_deploy.name | Name of deployment | string | `"cosign"` |
+| configs.cosign_deploy.namespace |  | string | `"cosign"` |
+| configs.cosign_deploy.namespace_create |  | bool | `true` |
+| configs.cosign_deploy.rolebindings | names for rolebindings to add clusterroles to cosign serviceaccounts. The names must match the serviceaccount names in the cosign namespace. | list | `["cosign"]` |
+| configs.ctlog.namespace |  | string | `"ctlog-system"` |
+| configs.ctlog.namespace_create |  | bool | `true` |
 | configs.ctlog.rolebindings | Names for rolebindings to add clusterroles to ctlog serviceaccounts. The names must match the serviceaccount names in the ctlog namespace. | list | `["ctlog","ctlog-createtree","trusted-artifact-signer-ctlog-createctconfig"]` |
 | configs.fulcio.clusterMonitoring.enabled |  | bool | `true` |
 | configs.fulcio.clusterMonitoring.endpoints[0].interval |  | string | `"30s"` |
 | configs.fulcio.clusterMonitoring.endpoints[0].port |  | string | `"2112-tcp"` |
 | configs.fulcio.clusterMonitoring.endpoints[0].scheme |  | string | `"http"` |
-| configs.fulcio.create | Whether to create the fulcio namespace | bool | `true` |
-| configs.fulcio.namespace | Namespace for fulcio resources | string | `"fulcio-system"` |
+| configs.fulcio.namespace |  | string | `"fulcio-system"` |
+| configs.fulcio.namespace_create |  | bool | `true` |
 | configs.fulcio.rolebindings | Names for rolebindings to add clusterroles to fulcio serviceaccounts. The names must match the serviceaccount names in the fulcio namespace. | list | `["fulcio-createcerts","fulcio-server"]` |
 | configs.fulcio.server.secret.name |  | string | `""` |
 | configs.fulcio.server.secret.password | password to decrypt the signing key | string | `""` |
@@ -112,19 +121,20 @@ Kubernetes: `>= 1.19.0-0`
 | configs.rekor.clusterMonitoring.endpoints[0].interval |  | string | `"30s"` |
 | configs.rekor.clusterMonitoring.endpoints[0].port |  | string | `"2112-tcp"` |
 | configs.rekor.clusterMonitoring.endpoints[0].scheme |  | string | `"http"` |
-| configs.rekor.create | whether to create the rekor namespace | bool | `true` |
-| configs.rekor.namespace | namespace for rekor resources | string | `"rekor-system"` |
+| configs.rekor.namespace |  | string | `"rekor-system"` |
+| configs.rekor.namespace_create |  | bool | `true` |
 | configs.rekor.rolebindings | names for rolebindings to add clusterroles to rekor serviceaccounts. The names must match the serviceaccount names in the rekor namespace. | list | `["rekor-redis","rekor-server","trusted-artifact-signer-rekor-createtree"]` |
 | configs.rekor.signer | Signer holds secret that contains the private key used to sign entries and the tree head of the transparency log When this section is left out, scaffold.rekor creates the secret and key. | object | `{"secret":{"name":"","private_key":"","private_key_file":""}}` |
 | configs.rekor.signer.secret.name | Name of the secret to create with the private key data. This name must match the value in scaffold.rekor.server.signer.signerFileSecretOptions.secretName. | string | `""` |
 | configs.rekor.signer.secret.private_key | Private encrypted signing key | string | `""` |
 | configs.rekor.signer.secret.private_key_file | File containing a private encrypted signing key | string | `""` |
-| configs.trillian.create | whether to create the trillian namespace | bool | `true` |
-| configs.trillian.namespace | namespace for trillian resources | string | `"trillian-system"` |
+| configs.trillian.namespace |  | string | `"trillian-system"` |
+| configs.trillian.namespace_create |  | bool | `true` |
 | configs.trillian.rolebindings | names for rolebindings to add clusterroles to trillian serviceaccounts. The names must match the serviceaccount names in the trillian namespace. | list | `["trillian-logserver","trillian-logsigner","trillian-mysql"]` |
-| configs.tuf.create | whether to create the tuf namespace | bool | `true` |
-| configs.tuf.namespace | namespace for tuf resources | string | `"tuf-system"` |
+| configs.tuf.namespace |  | string | `"tuf-system"` |
+| configs.tuf.namespace_create |  | bool | `true` |
 | configs.tuf.rolebindings | names for rolebindings to add clusterroles to tuf serviceaccounts. The names must match the serviceaccount names in the tuf namespace. | list | `["tuf","tuf-secret-copy-job"]` |
+| global.appsSubdomain | DNS name to generate environment variables and consoleCLIDownload urls. By default, in OpenShift, the value for this is apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') | string | `""` |
 | rbac.clusterrole | clusterrole to be added to sigstore component serviceaccounts. | string | `"system:openshift:scc:anyuid"` |
 | scaffold.copySecretJob.backoffLimit |  | int | `1000` |
 | scaffold.copySecretJob.enabled |  | bool | `true` |

charts/trusted-artifact-signer/ci/ci-values.yaml

@@ -6,13 +6,19 @@
 # For root & key requirements, see ../requirements-keys-certs.md
 # Note: User must substitute for localhost below.
 ---
+global:
+  appsSubdomain: localhost
+
 configs:
-  cosign:
-    appsSubdomain: localhost
+  clientserver:
+    consoleDownload: false
+    route: false
+  cosign_deploy:
+    enabled: true
   fulcio:
-    create: false
+    namespace_create: false
   rekor:
-    create: false
+    namespace_create: false
 
 # github.com/sigstore/helm-charts/charts
 scaffold:

charts/trusted-artifact-signer/templates/clientserver-deployment.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+  labels:
+    app: {{ .Values.configs.clientserver.name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.configs.clientserver.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.configs.clientserver.name }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: {{ .Values.configs.clientserver.name }}
+      containers:
+      - name: tas-clients
+        image: "{{ .Values.configs.clientserver.image.registry }}/{{ .Values.configs.clientserver.image.repository }}:{{ .Values.configs.clientserver.image.version }}"
+        #image: quay.io/sallyom/tas-clients:httpd
+        imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: 8080
+            protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL

charts/trusted-artifact-signer/templates/clientserver-route.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.configs.clientserver.route }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: {{ .Values.configs.clientserver.name }}
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+spec:
+  port:
+    targetPort: 8080-tcp
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: edge
+  to:
+    kind: Service
+    name: {{ .Values.configs.clientserver.name }}
+    weight: 100
+  wildcardPolicy: None
+{{- end }}
+

charts/trusted-artifact-signer/templates/clientserver-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+

charts/trusted-artifact-signer/templates/clientserver-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ .Values.configs.clientserver.name }}
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+spec:
+  ports:
+  - name: 8080-tcp
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: {{ .Values.configs.clientserver.name }}
+  type: ClusterIP
+

charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.configs.clientserver.consoleDownload }}
+apiVersion: console.openshift.io/v1
+kind: ConsoleCLIDownload
+metadata:
+  name: cosign
+spec:
+  description: cosign is a CLI tool that allows you to
+    manage sigstore artifacts.
+  displayName: cosign - Command Line Interface (CLI)
+  links:
+  - href: "https://{{ $.Values.configs.clientserver.name }}-{{ $.Values.configs.clientserver.namespace }}.{{ $.Values.global.appsSubdomain }}/clients/cosign"
+    text: Download cosign for Linux x86_64
+{{- end }}

charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.configs.clientserver.consoleDownload }}
+apiVersion: console.openshift.io/v1
+kind: ConsoleCLIDownload
+metadata:
+  name: gitsign
+spec:
+  description: gitsign is a CLI tool that allows you to
+    digitally sign and verify git commits.
+  displayName: gitsign - Command Line Interface (CLI)
+  links:
+  - href: "https://{{ $.Values.configs.clientserver.name }}-{{ $.Values.configs.clientserver.namespace }}.{{ $.Values.global.appsSubdomain }}/clients/gitsign"
+    text: Download gitsign for Linux x86_64
+{{- end }}
+

charts/trusted-artifact-signer/templates/cosign-deployment.yaml

@@ -1,29 +1,30 @@
+{{- if .Values.configs.cosign_deploy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ .Values.configs.cosign.name }}
-  namespace: {{ .Values.configs.cosign.namespace }}
+  name: {{ .Values.configs.cosign_deploy.name }}
+  namespace: {{ .Values.configs.cosign_deploy.namespace }}
 spec:
   selector:
     matchLabels:
-      app: {{ .Values.configs.cosign.name }}
+      app: {{ .Values.configs.cosign_deploy.name }}
   template:
     metadata:
       labels:
-        app: {{ .Values.configs.cosign.name }}
+        app: {{ .Values.configs.cosign_deploy.name }}
     spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 65533
-      {{- if $.Values.configs.cosign.rolebindings }}
-      serviceAccountName: {{ index .Values.configs.cosign.rolebindings 0 }}
+      {{- if $.Values.configs.cosign_deploy.rolebindings }}
+      serviceAccountName: {{ index .Values.configs.cosign_deploy.rolebindings 0 }}
       {{- end }}
       containers:
-      - name: {{ .Values.configs.cosign.name }}
-        image: "{{ .Values.configs.cosign.image.registry }}/{{ .Values.configs.cosign.image.repository }}:{{ .Values.configs.cosign.image.version }}"
+      - name: {{ .Values.configs.cosign_deploy.name }}
+        image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
         env:
         - name: OPENSHIFT_APPS_SUBDOMAIN
-          value: {{ .Values.configs.cosign.appsSubdomain }}
+          value: {{ .Values.global.appsSubdomain }}
         - name: OIDC_AUTHENTICATION_REALM
           value: "sigstore"
         - name: FULCIO_URL
@@ -38,4 +39,5 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-            - ALL
+            - ALL
+{{- end }}

charts/trusted-artifact-signer/templates/cosign-sa.yaml

@@ -1,8 +1,10 @@
-{{- if $.Values.configs.cosign.rolebindings }}
+{{- if .Values.configs.cosign_deploy.enabled }}
+{{- if .Values.configs.cosign_deploy.rolebindings }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  namespace: {{ .Values.configs.cosign.namespace }}
-  name: {{ index .Values.configs.cosign.rolebindings 0 }}
+  namespace: {{ .Values.configs.cosign_deploy.namespace }}
+  name: {{ index .Values.configs.cosign_deploy.rolebindings 0 }}
+{{- end }}
 {{- end }}

charts/trusted-artifact-signer/templates/namespace.yaml

@@ -1,5 +1,5 @@
 {{- range $configKey, $config := .Values.configs }}
-{{- if $config.create }}
+{{- if $config.namespace_create }}
 ---
 apiVersion: v1
 kind: Namespace